OCC Updates Third-Party Risk Management Guidance

November.04.2013

On October 30, the OCC issued Bulletin 2013-29 to update guidance relating to third-party risk management. The Bulletin, which rescinds OCC Bulletin 2001-47 and OCC Advisory Letter 2000-9, requires banks and federal savings associations (collectively “banks”) to provide comprehensive oversight of third parties, including joint ventures, affiliates or subsidiaries, and payment processors. It is substantially more prescriptive than CFPB Bulletin 2012-3, and incorporates third-party relationship management principles underlying recent OCC enforcement actions.

The Bulletin warns that failure to have in place an effective risk management process commensurate with the risk and complexity of a bank’s third-party relationships “may be an unsafe and unsound banking practice.” It outlines a “life cycle” approach and provides detailed descriptions of steps that a bank should consider taking at five important stages:

Planning: A third party relationship should begin with an internal assessment of risks relating to third parties in general, and to the intended third party in particular. Such planning should focus on both the potential impact to the bank and the bank’s customers, as well as potential security, regulatory, and legal ramifications.

Due Diligence and Third Party Selection: The Bulletin requires that the bank conduct an adequate due diligence review of the third party prior to entering a contract. Proper due diligence includes a thorough evaluation of all potential third parties, and the degree of diligence should be commensurate with the level of risk and complexity. In particular, banks should look to external organizations such as trade associations, the Better Business Bureau, the FTC, and state regulators when performing diligence on consumer-facing third parties. While prior Bulletin 2001-47 contained a list of potential items for due diligence review, Bulletin 2013-29 describes them in more detail and adds to the specific areas that due diligence should focus on, including:

Legal and regulatory compliance: The bank should “evaluate the third party’s legal and regulatory compliance program to determine whether the third party has the necessary licenses to operate and the expertise, processes and controls to enable the bank to remain compliant with domestic and international laws and regulations;”

Fee structure and incentives: The bank should determine if the fee structure and incentives would create burdensome upfront fees or result in inappropriate risk taking by the third party or the bank;

Risk management systems: The bank should have adequate policies, procedures, and internal controls, as well as processes to escalate, remediate, and hold management accountable for audit and independent testing reviews;

Human resource management: The bank should review the third party’s training program and processes to hold employees accountable for compliance with policies and procedures; and

Conflicting contractual arrangements: The bank should check a third-party vendor’s contractual arrangements with other third parties, which may indemnify the vendor and may therefore expose the bank to additional risk.

Contract Negotiation: All relationships should be documented by a written contract that clearly defines the responsibilities of both the bank and the third party. Among other things, the contract should provide for performance benchmarks, information retention, the right to perform an audit, and OCC supervision. Bulletin 2013-29 expands upon Bulletin 2001-47 with respect to the following areas:

Legal and regulatory compliance: Contracts should require compliance with applicable laws and regulations, including GLBA, BSA/AML, OFAC, and fair lending, as well as other consumer protection laws and regulations;

Audits and remediation: Contracts should provide for the bank’s right to conduct audits and periodic regulatory compliance reviews, and to require remediation of issues identified;

Indemnification: Contracts should include indemnification as appropriate for noncompliance with applicable law, and for failure to obtain any necessary intellectual property licenses;

Consumer complaints: The bank should specifically require the third party to submit “sufficient, timely, and usable information on consumer complaints to enable the bank to analyze customer complaint activity and trends for risk management purposes;” and

Subcontractor management: The bank should incorporate provisions specific to the third party’s own use of subcontractors, including obligations to report on conformance with performance measures and compliance with laws and regulations, and should reserve the right to terminate the contract if the subcontractors do not meet the third party’s obligations to the bank.

Ongoing Monitoring: The bank should dedicate sufficient staff to monitor the third party’s activities throughout the relationship as it may change over time. Bulletin 2013-29 expands upon Bulletin 2001-47 in the following notable ways:

Legal and regulatory compliance: The bank should monitor third-party vendors for compliance with all applicable laws and regulations;

Early identification of issues: The bank should consider whether the third party has the ability to effectively manage risk by self-identifying and addressing issues;

Subcontractor management: The bank should continuously monitor a third-party vendor’s reliance on or exposure to subcontractors and perform ongoing monitoring and testing of subcontractors; and

Consumer complaints: The bank should monitor the “volume, nature, and trends” of consumer complaints relating to the actions of third-party vendors, particularly those that may indicate compliance or risk management deficiencies.

Termination: The Bulletin specifies for the first time a termination “stage” in the third-party relationship management life cycle. Banks should develop a contingency plan for the end of the relationship, either through the normal course or in response to default. The contingency plan may transfer functions to a different third party or in-house.

The Bulletin defines as “critical” any activities involving significant bank functions (payments, clearing, settlements, and contingency planning); significant shared services (information technology); or other activities that (i) could cause a bank to face significant risk as a result of third-party failures, (ii) could have significant customer impacts, (iii) involve relationships that require significant investments in resources to implement and manage, and (iv) could have a major impact on bank operations if an alternate third party is required or if the outsourced activity must be brought in-house.

These “critical” activities should be the focus of special, enhanced risk management processes. Specifically, the bank should conduct more extensive due diligence on the front end, provide summaries of due diligence to the board of directors, ensure that the board of directors reviews and approves third-party contracts, engage in more comprehensive ongoing monitoring of the third party’s performance and financial condition (including, potentially, a look comparable to the analysis the bank would perform when extending credit), ensure that the board of directors reviews the results of ongoing monitoring, and periodically arrange for independent testing of the bank’s risk controls.

Finally, the Bulletin sets forth obligations and responsibilities relating to third-party relationships from the bank employees who manage them to the board of directors, including retention of due diligence results, findings, and recommendations, as well as regular reports to the board and senior management relating to the bank’s overall risk management process.

Questions regarding the matters discussed may be directed to any other Orrick attorney with whom you have consulted in the past.

Authors

Christopher Witeck Partner, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

D:+1 202 349 8051
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech

vCard

See full bio

Christopher Witeck Partner

Washington, D.C.

Chris has an active practice representing financial services entities in negotiating a wide variety of corporate transactions, including company M&A, asset purchases and critical vendor and other third-party relationships. His clients include banks, mortgage companies and servicers, marketplace and other lenders, fintech and emerging payments providers and other business entities in the financial services industry.

Chris’ M&A work emphasizes transactions that involve regulatory risks and concerns or novel structures at the forefront of industry trends. He also represents buyers and sellers of mortgage loans and other consumer lending assets, including interests such as mortgage servicing rights. He regularly negotiates many varieties of servicing and subservicing contracts.

He also advises clients on outsourcing, joint venture and bank partner agreements, particularly in the fintech and e-commerce arena, providing years of experience addressing “true lender” issues. He also advises clients on loan repurchase and indemnity matters as well as corporate governance and compliance matters.

His regulatory practice focuses on advising lenders and servicers on matters involving the Real Estate Settlement Procedures Act (RESPA), including affiliated business arrangements, portfolio retention transactions and vendor management issues.

Chris is recognized by Chambers USA for Fintech: Payments & Lending, which cited his capabilities “advising on regulatory compliance, commercial contracts matters and transactional work, with notable expertise handling M&A in the financial services sector.”

He was previously Co-Managing Partner and a member of the partner board at Buckley LLP. Before attending law school, he worked at the U.S. Department of State.

Jon Langlois Partner, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

D:+1 202 349 8045
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech

vCard

See full bio

Jon Langlois Partner

Washington, D.C.

He represents banks, nonbanks, fintechs, private equity and other financial services companies in a variety of corporate and transactional matters, particularly those involving residential mortgage and consumer loans, mortgage servicing rights, and servicing and subservicing relationships. He combines practical strategic advice with a deep knowledge of consumer lending and servicing to provide efficient, successful results.

In addition to his transaction practice, Jon assists clients on a wide range of regulatory issues, including compliance with key consumer financial laws, such as the Truth in Lending Act (TILA), Real Estate Settlement Procedures Act (RESPA), Fair Debt Collection Practices Act (FDCPA), unfair, deceptive, or abusive acts and practices (UDAAP), and other consumer protection issues.

Prior to joining Orrick, Jon was a partner at Buckley LLP. While in law school, he was a Legislative Analyst with Wilmer Cutler Pickering Hale and Dorr LLP, and a Government Affairs Representative with the American Financial Services Association.

Jeffrey Naimon Partner, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

D:+1 202 349 8030
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech

vCard

See full bio

Jeffrey Naimon Partner

Washington, D.C.

He defends financial services companies facing complex examination or enforcement matters before the Consumer Financial Protection Bureau (CFPB), the Federal Trade Commission (FTC), and federal and state banking regulators, with a focus on fair lending, unfair, deceptive or abusive acts and practices (UDAAP), loan servicing, privacy and credit reporting, debt collection, servicemember protections and other consumer protection issues.

He assists banks and nonbanks (including fintech entities) structure, negotiate and operate a variety of partnerships, outsourcing programs and other third-party arrangements, including performing due diligence, negotiating transactions and advising on ongoing oversight protocols to meet regulatory expectations for third-party arrangements.

Jeff also assists in negotiating acquisition, capital markets and servicing transactions, advising on how best to structure the transaction to reduce risk and expedite deal closure, performing due diligence and assisting in obtaining the necessary change of control and other regulatory approvals.

Jeff is consistently recognized as a leading lawyer in Financial Services Regulation: Consumer Finance (Compliance) in Chambers USA, which praised him for his "extremely high intellect regarding compliance matters and negotiation skills. There's none better at arguing a disputed point." He is also a Fellow of the American College of Consumer Financial Services Lawyers.

He currently serves as the Co-chair of the Professional Development Task Force and previously served as Co-chair (2011-2013) and Co-vice Chair (2008-2010) of the Truth in Lending Subcommittee of the American Bar Association’s Consumer Financial Services Committee and has authored numerous articles on consumer financial services.

Prior to joining Orrick, Jeff was a partner at Buckley LLP.